Appl. No; 09/759.089 

Reply to Office Action of April 5, 2006 

Amendments to the Claims: 

This listing of claims will replace all prior versions and listings of claims in the 
application: 

Listing of Claims: 

1. (Currently Amended) In a computer network, a method for maintaining an 
acceptable use policy comprising: 

receiving input from a user selecting a subject matter category for use in 
monitoring network communications; 

monitoring TCP/IP network communications; 

storing at l east so me raw TCP/iP session data of said TCP/IP network 
communications on disk, even when the communication does not conform to a known 
protocol; 

testing the stored communications for the presence of at least one preselected 
criterion, wherein the preselected criterion is defined by a user, is associated with the 
user selected subject matter category, and comprises one or more regular expressions 
and wherein the raw TCP/iP session data including all TCP control and pavload data 
is tested for the presence of the at least one preselected criterion ; 

deleting the communications if the presence of said at least one preselected 
criterion is not determined; and 

storing the communications if the presence of said at least one preselected 
criterion is determined, 

2. (Previously Presented) The method of claim 1, wherein the preselected 
criterion comprises two or more subject matter categories, 

3. (Previously Presented) The method of claim 2, wherein said subject matter 
categories comprise regular expressions. 
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4. (Currently Amended) The method of claim 3, wherein said regular 
expressions are assigned a weight bv a user we i ghted bao o d on i n put rec e iv e d from a 

5. (Cance!ed). 

6. (Previously Presented) The method of claim 2, wherein the preselected 
criterion is weighted, 

/.(Previously Presented) The method of claim 4, wherein said regular 
expressions are weighted with either positive or negative values. 

8. {Previously Presented) The method of claim 7, wherein regular expressions 
within a subject matter category having a negative value are processed before regular 
expressions having a positive value, 

9. (Previously Presented) The method of claim 4, further comprising prioritizing 
the order in which regular expressions within a subject matter category are tested, 

10. (Previously Presented) The method of claim 9, wherein said prioritizing 
reduces the likelihood of false hits. 

11. (Canceiled), 

12. (Previously Presented) The method of claim 1, wherein the computer 
network is a wide area network, 

13. (Previously Presented) The method of claim 1, wherein the computer 
network is a local area network. 

14. (Previously Presented) The method of claim 2, wherein the presence of the 
preselected criterion in at least one of said categories comprises a match in a plurality 
of categories. 
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15. (Previously Presented) The method of claim 2, wherein said subject matter 
categories comprise key words. 

16. (Cancelled). 

1 /.{Previously Presented) The method of claim 2, further comprising assigning 
a threshold value to each subject matter category, 

18. (Previously Presented) The method of claim 17, wherein at least some of 
said subject matter categories comprise one or more predetermined expressions, 

19. (Currently Amended) The method of claim 18, further comprising receiving 
user input assigning a value to said predetermined expressions. 

20. (Previously Presented) The method of claim 19, further comprising summing 
the values of said predetermined expressions. 

21. (Previously Presented) The method of claim 20, wherein said 
communication is further stored if the sum of the values of said predetermined 
expressions comprising a subject matter category equal or exceed the threshold value 
assigned to said subject matter category, 

22. (Previously Presented) The method of claim 21 , wherein the threshold value 
of at least one subject matter category comprises equaling or exceeding the threshold 
value in a plurality of subject matter categories. 

23. (Previously Presented) The method of claim 21, wherein said threshold 
values assigned to said subject matter categories are variable. 

24. (Previously Presented) The method of claim 18, wherein said subject matter 
categories have a hierarchical relationship. 
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25. (Previously Presented) The method of claim 24, wherein said hierarchical 
relationship comprises defining the threshold value for at least one subject matter 
category as the presence of predetermined expressions in a plurality of other subject 
matter categories. 

26. (Previously Presented) The method of claim 24, wherein said hierarchical 
relationship comprises defining the threshold value for at least one subject matter 
category as matching or exceeding the threshold value assigned to a plurality of other 
subject matter categories. 

27. (Previously Presented) The method of claim 1 , further comprising outputting 
a report relating to the presence of said at least one preselected criterion. 

28. (Previously Presented) The method of claim 27, wherein said report 
identifies individuals whose use of the computer network included communications 
which matched preselected criterion. 

29. (Previously Presented) The method of claim 27, wherein said report 
identifies network addresses where communications were received or originated that 
included matched preselected criterion. 

30. (Previously Presented) The method of claim 2, further comprising outputting 
a report relating to the presence of preselected criterion, wherein said report identifies 
the number of matches in a category. 

31. (Currently Amended) The method of claim 30, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
user interface in a form matching that generated or viewed during the monitored 
TCP/IP network communications . 

32. (Previously Presented) The method of claim 27, wherein said report 
provides the text of all communications that match said preselected criterion. 
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33, (Currently Amended) The method of claim 27, wherein said report is in a 

human readable format and at least a portion of th e stored commynjcati^ is 

provided in the report in a form matching that generated or viewed during the 
monitored TCP/IP network communications . 

34, (Currently Amended) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing data on a network, wherein the data comprises multiple half sessions 
of TCP/IP network communications; 

removing data content that does not contain language elements; 

testing the remaining content for the presence of predetermined expressions, 
wherein the predetermined expressions comprise two or more categories each 
containing predetermined expressions that are defined by a user; 

maintaining a sum of values associated with said predetermined expressions 
found within at least one category; and 

storing the remaining data if the sum of values associated with said 
predetermined expressions within a category meets or exceeds a threshold value 
selected based on user input[[,]] i 

wherein said expressions are weighted with either positive or negative values; 

wherein the negative valued regular expressions are tested first; and 

wherein the testing and the maintaining are halted and the storing is performed 
when the sum of values within a category meets or exceeds the threshold value, 

35, (Previously Presented) The method of claim 34, wherein said computer 
network is a wide area network, 

36, (Previously Presented) The method of claim 34, wherein said computer 
network is a local area network. 

Claim 37-41 (Cancelled). 

6 



mo - 021738/000002 - 1S9624 v3 



AppL No; 09/759,089 

Reply to Office Action of April 5, 2006 

42. (Currentty Amended) The method of claim [[41]] 34, wherein said negative 
and positive valued regular expressions are separately tested in the order of largest 
value to smallest value. 

43. (Cancelled) 

44. (Previously Presented) The method of claim 34, wherein said expressions 
include regular expressions. 

45. (Previously Presented) The method of claim 34, v\^herein the threshold value 
for at ieast one category comprises meeting or exceeding the threshold value for a 
plurality of other categories. 

46. (Previously Presented) The method of claim 34, wherein the threshold value 
of at least one category comprises meeting or exceeding the threshold value for at 
least one other category and not meeting or exceeding the threshold value for at least 
another category. 

47. (Previously Presented) The method of claim 35, wherein said threshold 
value for a category is variable, 

48. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions. 

49. (Previously Presented) The method of claim 48, wherein said report 
identifies individuals whose use of the computer network included communications 
which matched predetermined expressions, 

50. (Previously Presented) The method of claim 48, wherein said report 
identifies network addresses where communications were received or originated that 
included matched predetermined expressions. 
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51. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions, wherein 
said report identifies the number of matches in a category. 

52. (Currently Amended) The method of claim 50, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
user interface in a form matching that generated or viewed during the monitored 
TCP/IP network communications . 

53. (Previously Presented) The method of claim 48, wherein said report 
provides the text of all communications that match said predetermined expressions. 

54. (Currently Amended) The method of claim 48, wherein said report is in a 
human readable format and at least a portion of the stored communications is 
provided in the report In a form matching that generated or viewed during the 
monitored TCP/IP network communications . 

55. (Currently Amended) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing TCP/IP data on a network; 

removing data content that does not contain language elements and storing a 
remaining content comprising a string of language elements separated by spaces 
without regard to original formatting of the captured TCP/IP data ; 

defining categories with weighted predetermined expressions, wherein the 
predetermined expressions are defined by a user; 

testing the remaining content for the presence of predetermined expressions; 

maintaining a sum of values associated with said predetermined expressions 
found within each category; and 

storing the remaining data if the sum of values associated with said 
predetermined expressions present within a category exceeds a threshold value. 
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56. {Previously Presented) The method of claim 55, wherein said remaining data 
is stored only if the sum of predetermined expressions exceeds the threshold value in 
a plurality of categories. 

57. (Previously Presented) The method of claim 55, wherein the threshold value 
for a category is defined as the presence of no predetermined expressions. 

58. (Previously Presented) The method of claim 55, wherein said computer 
network is a wide area network, 

59. (Previously Presented) The method of claim 55, wherein said computer 
network is a local area network. 

60. (Cancelled). 

61. (Previously Presented) The method of claim 55, further comprising 
outputting a report relating to the presence of predetermined expressions whose sum 
meets or exceeds the threshold value of a category. 

62. (Previously Presented) The method of claim 61, wherein said report 
identifies individuals whose use of the computer network included communications 
which contained predetermined expressions whose sum matched or exceeded the 
threshold value of at least one category. 

63. (Previously presented) The method of claim 61, wherein said report 
identifies network addresses where communications were received or originated that 
included predetermined expressions whose sum matched or exceeded the threshold 
value of at least one category. 
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64. (Currently Amended) The method of ciaim 63, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
user interface in a form matching that generated or viewed during the monitored 
TCP/iP network communications . 

65 {Previously Presented). The method of claim 1 wherein at least one stored 
half session comprises a plurality of independent parts, and the testing is performed 
individually on each independent part. 

66(Previously Presented). The method of claim 65 wherein the independent 
parts comprise individual email messages, 

67(Previous!y Presented), The method of claim 65 wherein the independent 
parts comprise message attachments. 

68 (Currently Amended). The method of claim 1 further comprising: 
prior to the testing, attempting to identify a protocol by comparing the stored W 
sessi on TCP/IP network communications with known protocol patterns , wherein when 
the attempting results in one of the known protocol patterns being identified, the 
testing of the stored communications involves testing of each independent part of the 
stored TCP/IP network communications associated with the identified one of the 
known protocoi patterns . 
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